return {
get: get,
put: put,
+ post: post,
del: del
};
};
});
}
+function isProtected(targetPath) {
+ return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
+}
+
function getAbsolutePath(filePath) {
var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
}
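Review bot: `isProtected` on L11 is a bare string-prefix test on the resolved path, so any sibling whose name merely starts with `_admin` (`_admin2`, `_admin-old`) is refused as well, while the intended subtree is still covered. Comparing against the directory itself or the directory followed by a separator is both tighter and clearer: `var adminPath = getAbsolutePath('_admin');` then `return targetPath === adminPath || targetPath.indexOf(adminPath + path.sep) === 0;`. Because the comparison is purely lexical, a symlink elsewhere under the base directory that points into `_admin` would not be caught unless `getAbsolutePath` canonicalises with realpath, which is not visible here and is worth confirming. `getAbsolutePath`'s body is only partly shown, so the containment check its callers rely on (`if (!absoluteFilePath)`) lies outside this hunk.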
function get(req, res, next) {
- var filePath = req.params[0];
+ var filePath = decodeURIComponent(req.params[0]);
var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
debug('get', absoluteFilePath);
if (!result.isDirectory() && !result.isFile()) return next(new HttpError(500, 'unsupported type'));
- if (result.isFile()) return res.sendFile(absoluteFilePath);
+ if (result.isFile()) return res.download(absoluteFilePath);
async.map(fs.readdirSync(absoluteFilePath), function (filePath, callback) {
fs.stat(path.join(absoluteFilePath, filePath), function (error, result) {
});
}
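Review bot: The new `decodeURIComponent(req.params[0])` on L19 throws `URIError` on a malformed percent-sequence and nothing catches it, so such a request surfaces as a generic error instead of a 400. If this router is Express, `req.params` has already been percent-decoded once, so the second decode is reachable with a path like `100%25` (decoded once to `100%`), and a `%252e%252e` segment reaches `getAbsolutePath` as `..` — presumably rejected by its containment check, but the double decode deserves a comment. I would guard the decode: `var filePath; try { filePath = decodeURIComponent(req.params[0]); } catch (e) { return next(new HttpError(400, 'Invalid path')); }`, and the same applies to `post`, `put` and `del`. Note also that `get` does not call `isProtected`, so `_admin` contents stay readable while they are write-protected in the other handlers; if that is intended, a one-line comment saying so would stop the next reader from "fixing" it. `get`'s body continues past the hunk.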
-function put(req, res, next) {
- var filePath = req.params[0];
+function post(req, res, next) {
+ var filePath = decodeURIComponent(req.params[0]);
if (!(req.files && req.files.file) && !req.query.directory) return next(new HttpError(400, 'missing file or directory'));
if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
+ debug('post:', filePath);
+
var absoluteFilePath = getAbsolutePath(filePath);
- if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
+ if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
fs.stat(absoluteFilePath, function (error, result) {
if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
- debug('put', absoluteFilePath);
-
if (result && req.query.directory) return next(new HttpError(409, 'name already exists'));
- if (result && result.isDirectory()) return next(new HttpError(409, 'cannot put on directories'));
+ if (result && result.isDirectory()) return next(new HttpError(409, 'cannot post on directories'));
if (req.query.directory) {
return createDirectory(absoluteFilePath, function (error) {
});
}
+function put(req, res, next) {
+ var oldFilePath = decodeURIComponent(req.params[0]);
+
+ if (!req.body || !req.body.newFilePath) return next(new HttpError(400, 'missing newFilePath'));
+
+ var newFilePath = decodeURIComponent(req.body.newFilePath);
+
+ debug('put: %s -> %s', oldFilePath, newFilePath);
+
+ var absoluteOldFilePath = getAbsolutePath(oldFilePath);
+ if (!absoluteOldFilePath || isProtected(absoluteOldFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
+ var absoluteNewFilePath = getAbsolutePath(newFilePath);
+ if (!absoluteNewFilePath || isProtected(absoluteNewFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
+ fs.rename(absoluteOldFilePath, absoluteNewFilePath, function (error) {
+ if (error) return next (new HttpError(500, error));
+
+ debug('put: successful');
+
+ return next(new HttpSuccess(200, {}));
+ });
+}
+
function del(req, res, next) {
- var filePath = req.params[0];
+ var filePath = decodeURIComponent(req.params[0]);
var recursive = !!req.query.recursive;
var dryRun = !!req.query.dryRun;
var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
+ if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
// absoltueFilePath has to have the base path prepended
if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));
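Review bot: `fs.rename` on L67 silently replaces an existing destination file, so `put` lets a caller overwrite any non-protected file, whereas `post` refuses with 409 when the name already exists (L45). A missing source is reported as a 500 because ENOENT is not distinguished on L68, where `del` and `get` use 404, and `put` also lacks the `absoluteFilePath.length <= gBasePath.length` guard that `del` applies on L86. I would stat the destination first and map ENOENT on rename to 404; stat-then-rename is still racy since Node has no no-clobber rename, but it closes the ordinary case. `del`'s body continues past the end of the hunk.
```javascript
  var absoluteNewFilePath = getAbsolutePath(newFilePath);
  if (!absoluteNewFilePath || isProtected(absoluteNewFilePath)) return next(new HttpError(403, 'Path not allowed'));
  if (absoluteOldFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));

  // refuse to clobber an existing entry; stat -> rename is not atomic, so this is best-effort
  fs.stat(absoluteNewFilePath, function (error, result) {
    if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
    if (result) return next(new HttpError(409, 'name already exists'));

    fs.rename(absoluteOldFilePath, absoluteNewFilePath, function (error) {
      if (error && error.code === 'ENOENT') return next(new HttpError(404, 'Not found'));
      if (error) return next(new HttpError(500, error));
      // … unchanged: debug + HttpSuccess …
    });
  });
```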